Internet Protocol Security

Internet Protocol Security (IPsec) is a protocol suite for secure Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a communication session. IPsec includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to be used during the session. IPsec can be used in protecting data flows between a pair of hosts (host-to-host), between a pair of security gateways (network-to-network), or between a security gateway and a host (network-to-host). IPsec is an end-to-end security scheme operating in the Internet Layer of the Internet Protocol Suite.


Hi There,

I am trying to configure a SonicWall Global VPN (Version 3.1.0.556) client connection on Windows Vista Home Premium but am getting the following error in the log when I try to enable the connection: "No entry in the system IP address Table was found with index 0x00000i", where i is a number from 1-9.

Does anyone have any clue what's going on here? I had no such problem when installing this client on Windows 7.

Thanks!

KGW
0
I have a Cisco 2800 IOS 12.4 router as the hub with a Cisco 871 IOS 12.4 router at a remote location. I have VTI's on each side and 3DES encryption, the tunnels work and I can ping between each network but transferring a 10MB file takes about 10 minutes. There is a 10MB Down and 2 MB WAN connection on each side. Any help is much appreciated. Thanks in advance. Russ
0
I'm trying to set up an openswan VPN for use with iPhone, IPSec and identity certificates. However, the iPhone is set to use Extended Authentication (XAUTH) and something is failing during that part of the transaction.

I don't need or want Extended Authentication for this connection. Using the RSA certificates is enough. But the iPhone seems to be permanently set to use XAUTH. And if it is set to use XAUTH, the server has to be as well.

Thanks!
0
I have lots of remote sites / branch offices. I would like to have spoke to spoke communications available. I'm missing something in the config. I have the IPSec tunnels, they pass interesting traffic but my HUB configuration is not passing site to site interesting traffic. Help!
0
I just acquired a customer who has a Cisco ASA5520. They use this ASA for all site-to-site and remote access VPNs. I have a question about the remote access VPN setup. I see that there are 5 VPN groups configured on this ASA. I can log into all five groups just fine using the Cisco VPN client, but all I need to connect is the group name and password; it does not prompt for a username and password. Below is an example of how one of the groups is set up:

tunnel-group VPNGROUP1 type ipsec-ra
tunnel-group VPNGROUP1 general-attributes
 address-pool ippool
 authentication-server-group none
 default-group-policy VPNGROUP1
tunnel-group VPNGROUP1 ipsec-attributes
 pre-shared-key *

What part of this configuration is allowing them to just log in using the group name and password? I'm used to the Cisco VPN client also prompting for a username and password. Thanks.
0
Hi,

The IPsec tunnel on the Fortigate box is not working properly. It was working before and nothing has changed on the network. I have checked the logs on the dial up client (Fortigate box), I get the following message:

Initiator: parsed aggressive mode message # 1 (error)
Negotiate SA Error: probable pre-shared secret mismatch

On the Server (Fortigate box) the log is giving me this message:

Responder: parsed main mode message # 3 (error)
 
How can I make the tunnel go up again?
0
I have a Cisco 2800 IOS router ver 12.4. I set up a VPN for L2TP connections and I am able to connect from Windows XP no problem. Windows 7 connects briefly and I can ping the remote network for about 15 pings and then it disconnects. Windows event viewer shows

The user MACHINE\user dialed a connection named VPN Connection which has terminated. The reason code returned on termination is 829.

The output of debug vdpn event in the cisco 2800 is

Oct 11 17:53:00.721: VPDN Received L2TUN socket message <xCRQ - Session Incoming>
Oct 11 17:53:00.721: VPDN Tnl/Sn 46009 45 L2TUN socket session accept requested
Oct 11 17:53:00.725: VPDN Tnl/Sn 46009 45 Setting up dataplane for L2-L2, no idb
Oct 11 17:53:00.753: VPDN Received L2TUN socket message <xCCN - Session Connected>
Oct 11 17:53:00.757: VPDN uid:44 VPDN session up
Oct 11 17:53:00.877: VPDN Vi3 Virtual interface created for unknown, bandwidth 1000000 Kbps
Oct 11 17:53:00.877: VPDN Vi3 Setting up dataplane for L2-L3, Vi3
Oct 11 17:53:00.881: VPDN Received L2TUN socket message <Dataplane UP>
Oct 11 17:53:00.885: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to up
Oct 11 17:53:01.885: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to up
Oct 11 17:53:21.070: VPDN Vi3 disconnect (TEST-CMD) IETF: 9/nas-error Ascend: 66/VPDN Local PPP Disconnect
Oct 11 17:53:21.070: VPDN Vi3 vpdn shutdown session, result=2, error=7, vendor_err=0
Oct 11 17:53:21.070: VPDN Vi3 VPDN/AAA: 


0
I have a small branch office that currently has a Pix 506E.  I am going to replace this Pix with a pair of ASA5505s configured in Active/Standby.  The ASA will do NAT/PAT, 5 site-to-site VPN's, a remote access VPN, as well as inbound and outbound ACL's.  There are 20 users at this location.

Reading the Active/Failover documentation from Cisco, I see the ASA5505 does not support Stateful Failover, but all other ASA models do. Can someone explain what "stateful failover" means? My thinking is that all connections are dropped when failover occurs, and that the users will have to reconnect to their hosted applications. Am I correct? Thanks.
0
I am trying to default a Cisco VPN connection but it's not working. I am following the procedure from the Cisco website.

Setting a Default Connection Entry

If you have a default connection entry (also known as default profile) configured, the VPN Client opens the default connection entry when you launch it. To make one of your connection entries the default connection entry, use the following procedure:
 
--------------------------------------------------------------------------------

Step 1 Select a connection entry in the list underneath the Connection Entries tab.
 
Step 2 Display the Connection Entries menu or right-click the connection entry name and choose Set as Default Connection Entry.
 
The default connection entry appears as bold in the list of connection entries.

Any ideas how I can change this?
0
I have a new customer who has a pix 506E.  They have 6 site-to-site VPN's configured on this pix.   I have a Cisco ASA5510.  I am creating a site-to-site VPN from my ASA to their Pix tomorrow.  I also need VPN access to the other 6 locations that the PIX has site to site VPN's to as well.   Will I need to create 6 more site-to-site VPN's on my ASA to have access to those from my network?  Would I be able to somehow get to those other six networks just from the single VPN I will be creating tomorrow?  Thanks.
0
How to implement site-to-site IPsec tunnel Between Cisco 1841 router and Linux Box CentOS 5.5  Using Openswan
0
Hey - you know when people refer to stuff like federal info processing standards, are they on about disk level encryption? Or data in transit?
For example, are there FIPS compliant protocols? Or is it just FIPS compliant encryption software for data at rest?
For example, if someone sells you FIPS compliant encryption - what are they selling you? A disk encryption, or some sort of encrypted certificate?
Excuse my ignorance (please bear that in mind in your responses).
0
Hi Folks,
I would really value some advice regarding a Cisco ACL policy design. I am a Voice engineer and I have set up an Asterisk High Availability cluster and I have a Cisco 1841 controlling the LAN/WAN access to this cluster.

I have quite a few clients who will be using this cluster for hosted telephony and they all have fixed IP addresses that I can add to the cisco ACL and allow full access to their SIP/IAX phones for registration.

Here is the problem:

Some of my clients have home connections and their routers have dynamic IP's so I can't open the IP for access to them as their IP may change. I also have clients that have SIP clients on their mobile phones and we have a similar problem with these.

I can't run a MAC-address filter on the router as it is a layer 3 device and the only option that I could see is maybe IPsec or PPTP.

Does anyone have any suggestions?

0
Hello, I have a Cisco 2800 IOS 12.4 router set up as the head end of a point to multi-point VPN network with one Cisco 871 IOS 12.4 router at each of two separate remote locations. Each location has Comcast Internet. The routers are all configured and have access to the Internet at each location. The problem is I cannot ping or access the LAN between the routers. All the interfaces including Tunnels are up, so I think it may be NAT. Here are the configs:

CISCO 2800 IOS 12.4 ROUTER HEAD END
Current configuration : 5833 bytes
!
! Last configuration change at 07:08:07 MST Sun Oct 9 2011 by Admin
! NVRAM config last updated at 07:08:09 MST Sun Oct 9 2011 by Admin
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname CISCO2800HEADEND
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$IDj5$v4MYtN1vnZeULbDa8ZRvn1
!
aaa new-model
!
!
aaa authentication login default local-case
!
!
aaa session-id common
clock timezone MST -7
clock summer-time MST recurring
dot11 syslog
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.3.1 192.168.3.99
ip dhcp excluded-address 192.168.3.151 192.168.3.254
!
ip dhcp pool ccp-pool1
   import all
   network 192.168.3.0 255.255.255.0
   default-router 192.168.3.1
   dns-server 75.75.75.75 8.8.8.8
   domain-name ourdomain.local
!
!
no ip bootp server
no ip domain lookup
ip name-server 75.75.75.75
ip name-server 8.8.8.8


0
Hi
I am looking for the material of some security courses; where can I find them? Free or payable does not matter.
I am looking for CEH, CISA, CISSP and CCNA as an example.
0
Hello,

I installed freeradius2 with the MySQL module on CentOS, and everything works well. I mean I create a user in the MySQL database and test it with "radtest" and receive a request-accept message.

Now, I want to connect to the server with PPTP, L2TP and OpenVPN connections, and when I try it I receive an error and the connection is not established.

Does anyone know how I should do it?
0
Is it possible to have one user on the Cisco VPN client tunnel all internet requests through the tunnel instead of their local network?
0
Hi, any ideas for these messages on an 1811? Trying to create a site to site tunnel between an RV042 and a Cisco 1811.

1811 Log SHOWS :

%CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE packet from 1.2.3.4 was not encrypted and it should've been.
%CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 1.2.3.4 failed its sanity check or is malformed
0
I have got a Cisco 3750 and an ASA and am getting the error message "received encrypted packet with no matching sa dropping".
After googling I have found that you usually get this error message when there is an ACL mismatch; however, I am sure the ACLs are the same. Please see the config below and advise:


ASA Version 8.0(2)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 21.21.21.1 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.10.6.200 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list new extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list policy-nat extended permit ip 10.10.6.0 255.255.255.0 192.168.3.0 255.255.255.0 log
pager lines 24
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
static (inside,outside) 192.168.2.0  access-list policy-nat
route outside 0.0.0.0 0.0.0.0 21.21.21.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00…
0
I have successfully set up RADIUS authentication for Cisco VPN users to authenticate against the Windows Server 2003 AD with IAS. Configured on a Cisco ASA 5510 but will also firld to 5505 and Cisco PIX 501.

Is there a way to automatically populate the DOMAIN field on the Cisco login prompt, which consists of a Cisco dialogue box with fields for USERNAME, PASSWORD, and DOMAIN?
0
Since the Cisco VPN Client is reaching end of life, I'm looking for another solution. Right now I have thousands of users who use the Cisco VPN Client to connect to their hosted applications. I would like to go with Cisco AnyConnect, but I'm a little unsure about the licensing. I see there is AnyConnect Premium and AnyConnect Essentials. AnyConnect Premium is way out of my budget, but AnyConnect Essentials seems affordable. I'm looking for someone who has used AnyConnect Essentials. I have read the documentation, but I'm still unsure how AnyConnect Essentials works. Do I get to it via a webpage, or do I need to install the client on all machines? How many AnyConnect licenses can go on an ASA5510? I have read Cisco's documentation on AnyConnect, but not having used it before I want to be sure that AnyConnect Essentials will do everything that the Cisco VPN Client does. Thanks.
0
Dear all,

I have configured remote access VPN on my ASA. Now all users outside can connect to the VPN when they enter the remote access host (80.80.80.80), but I have some users inside who also want to use the VPN remote client, and when they put the host (80.80.80.80) in the VPN remote client software they can't connect to the VPN. So tell me, what is the solution to let internal users access the remote VPN client?
Note:
1- I can't put a static IP on the inside users
2- If needed I'll send the ASA config

0
Hi Guys,

I am trying to configure a Fortigate 50GB to pass through VPN requests to a Microsoft 2003 RASS server. Any idea on the best way to do this? I am having no luck.
0
Hello to all Cisco experts

I have few questions regarding VPN tunnels between Cisco 881 and ASA 5510

I am supposed to build a few of them with 881s at the branch ends and the 5510 at my central location.

The questions I have are mostly in regards to the 881 at the branch ends. I got these routers directly from Cisco for a project pilot we are running with them for one of our important customers. Besides the console port, the following ports are available on the back panel:

A FastEthernet switch with 4 ports (FE0 to FE3)
One FEWAN port marked as FEWAN (FE04 in configuration file)
A virtual LAN VLAN1 which of course does not have a physical port, so my assumption is that the switch ports FE0 to FE3 are part of this VLAN1

All I need is to create VPN tunnels  between these routers and my ASA 5510.  

Here are my questions:

1. It appears that an IP can be assigned to interfaces VLAN1 and FE04 only. I think VLAN1 is for the internal IP and FastEthernet4 for the external IP. What is the approach here?

       a. Put the DSL modem in bridge mode and assign the external IP to FEWAN FE04 and the internal IP to the VLAN1 interface (this IP will act as gateway for the internal subnet)
       b. Put the DSL in bridge mode and configure the 881 to act as a PPPoE client?

2. Is there a good document how to set this up ?

Thank you for taking the time to read and (hopefully) reply to my question

Cheers

0
Hi Guys,

Trying to get L2TP (certificates) to work between my VPN clients and ISA2004 server.

Have the following:

My own CA server on Domain X
My ISA server is stand-alone (not part of the domain)
Windows XP / 7 clients

Have installed a CA certificate in the Trusted Root of ISA. (This works fine as I use it for SSL traffic for OWA client -> ISA -> Exchange)

Using the CA web page http://local_ip/certsvr I have installed a user certificate on my client machine.

I have set up ISA to accept L2TP and use certificate authentication.
I have set up the client to use L2TP and selected the certificate to use for authentication.

Get error: "The connection requires a certificate and no certificate was found." I have checked the certificate is there.

When using L2TP and the pre-shared key, all works well. So I know it's a certificate issue.

Has anyone come across this before?

Any help... much appreciated.

IM
0
